October 2009

 

Protect Your Account Passwords - Beware of Phishing Attacks
Business Continuity Drill for Central Computer Systems
GroupWise 7 Series: Using 'Filter' to Find Your Message Quick & Easy
24-hour Service at SCC Starting 9 November






Win a Windows Phone by Completing the Survey on ITS Services
 


To solicit users’ feedback and comments on the ITS service provisions so that we can further enhance our service quality, ITS is conducting a staff and student survey to collect feedback from all PolyU staff and students. The survey will help identify current services that may require enhancement and facilitate the University to plan for new services and facilities to meet future demands.  

To encourage participation, 3 Windows Phones will be given away to the survey respondents by a lucky draw. Spend a little time to complete this survey to give us your feedback on our services, and to try your luck at the lucky draw. Please provide your NetID for purpose of the lucky draw. The survey data will be kept strictly confidential.

Deadline: 13 November 2009

 

 
 


 
Good Practices to Protect Your Data on Portable Storage Media and Devices
 

 

The use of external storage media and mobile devices such as USB thumb drives, external hard disks, CDs/DVDs, notebooks, PDAs, mobile phones, iPods, etc., carries some inherent risks, especially with respect to sensitive information.

In general, users should avoid storing confidential / sensitive data on portable storage media and mobile devices. Most confidential data relating to PolyU are accessible online by authorized users through the secure connection mechanisms of the central IT systems. If you have a practical need to store such data on external storage media and mobile devices, it is essential that you follow the good practices below to protect your data:

 

  • All confidential data MUST be stored in encrypted format. It is strongly recommended that you use the 128-bit or above Advanced Encryption Standard (AES). Please refer to some suggested solutions below.
  • For a high level of security protection, the password for encryption/decryption should consist of no fewer than 8 characters and include both alphabetic and numeric characters, in both upper and lower case.
  • Besides memorizing the passwords, any physical / electronic copies of the passwords must be kept in a secure location separate from the storage media and mobile devices.
  • Portable storage media and devices must not be left unattended in public places, automobiles, etc.
  • Portable storage media and devices must be stored in a secure location when not in use.
  • If any portable storage media and devices containing confidential data are lost, report immediately to your Head of Department or his/her delegate for necessary actions.
  • Before the disposal of any portable storage media and devices, all confidential data stored on them must be removed permanently.
  • Users should be aware of the importance of the encryption/decryption password. Once the password is forgotten, alternate means to retrieve the encrypted data might not be available.
  • Portable storage media and devices containing confidential data must not be used to store P2P/BT software or other file sharing software; and they must not be connected to any computing facilities containing P2P/BT software or other file sharing software.

To promote and enforce the best practices in data protection for the users and for the University, ITS will continue to organize security briefings and training for users to help upgrade the University community’s competency in handling data / IT security issues.

 

 

Users may consider using the following data encryption solutions to encrypt their confidential data:

 

  • Hard disk lock feature that comes with recent notebook computer models. Please refer to the user manuals of the respective notebook models or consult the notebook vendor.
  • Other encryption solutions that are compliant with the 128-bit or above Advanced Encryption Standard (AES). Please click here for some examples.

Please visit the PolyU IT Security Website for more information on the security policies, guidelines and good practices. If you need further information or assistance, please feel free to contact our Help Centre at 2766 5900.


 
 


 
Security Incident on the Internet Web Hosting Server
 

 

There was a security incident on the Internet Web Hosting Server on 7 October 2009. The PolyU home page (www.polyu.edu.hk) and all departmental websites hosted on the Internet Web Hosting Server were not available from 01:00 on 7 October 2009 to 08:15 on 8 October 2009.

The incident was caused by an external attack on the University Web Hosting Server. The attack was launched from an overseas machine, through a vulnerability in PHP scripts lodged in a departmental website. Both the system disk and data disk were erased. The data from the latest backup was restored and the problematic PHP scripts were quarantined to allow service to be resumed.  A system software patch was applied to the Internet and Intranet Web Hosting Servers on 18 October 2009 to enhance the system security.

The University has many distributed servers that could be attacked in this way and it is important for everyone to ensure their equipment does not offer an opportunity for a 'hacker' to vandalise the University’s information systems.

To protect the web account and website contents, web account owners are reminded to:

  • Change the password of the web account on a regular basis
  • Verify that the files under the web account were uploaded by you, by checking the ownership and last modification date of the files on a regular basis
  • Remove unnecessary and obsolete files under the web account
  • Perform careful quality checking and security vulnerability scanning during the development, testing and user acceptance phases of your website contents in the testing server 'wwwuat.polyu.edu.hk' before launching to the production platform
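The ownership and modification-date check in the reminders above can be scripted. The following Python sketch is an added example, not ITS's own tooling; the function name `audit_web_account`, the assumption that one uid owns every file in the account, and the weekly review interval are illustrative.

```python
import os
import time
from dataclasses import dataclass

@dataclass
class Finding:
    path: str
    reason: str

def audit_web_account(root, expected_uid, last_review_epoch):
    """Walk `root` and list files the account owner should look at.

    expected_uid      -- numeric uid of the web account (assumption: one uid owns all files)
    last_review_epoch -- time of the previous review; anything newer is unreviewed
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: report a symlink itself, do not follow it
            if st.st_uid != expected_uid:
                findings.append(Finding(path, f"owner uid {st.st_uid} != {expected_uid}"))
            if st.st_mtime > last_review_epoch:
                stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(st.st_mtime))
                findings.append(Finding(path, f"modified {stamp}, after last review"))
    return findings

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    # Assumption: the account owner reviews the web directory once a week
    week_ago = time.time() - 7 * 86400
    for f in audit_web_account(root, os.getuid(), week_ago):
        print(f"{f.path}: {f.reason}")
```

Modification times can be reset by anyone able to write the file, so a clean result is a quick check rather than proof; comparing files against stored hashes of known-good copies is a stronger test.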

If you outsource the development and/or maintenance of the website you are responsible for to another party:

  • Ask the other party to perform quality checks to meet your requirements for the safe operation of the machine.  Remember, they do not carry the final responsibility for the health and safety of your systems. You do.

  • Conduct User Acceptance Test (UAT) with the developer before giving permission for them to launch the changed contents in the production platform.

If execution of web applications/scripts crashes or affects the stability of the Internet Web Server, ITS will quarantine the problematic applications/scripts and then notify the corresponding web account owners by e-mail. Be extraordinarily careful with testing and security vulnerability checking and help the University protect its reputation for quality and service.

If you are unsure what to do, remember that ITS staff are always available and ready to give you advice and help.

 

 
 


 
Protect Your Account Passwords - Beware of Phishing Attacks
 

 

In early October, thousands of Windows Live Hotmail passwords were published online, which was believed to be the result of a phishing scheme against users of the service.

Phishing attacks are very common online. Phishers usually will set up a false web site of a well-known bank, financial company, government organization, etc. They will then send legitimate-looking e-mails to random users, asking them to visit the web site where they would be required to login or to confirm / update their personal information.

 

 

To avoid being phished, always remember the following when handling e-mails, especially unexpected ones:

  • Registered financial institutions such as banks normally WILL NOT request users to confirm or update their password or any personal information by clicking on a link and visiting their web sites.
  • If you receive an unexpected e-mail saying your account will be shut down unless you confirm your information, DO NOT reply or click any links in the e-mail body. Contact the concerned organization to confirm the truthfulness of the mail and to get advice.
  • Even if you believe that the e-mail is genuine and want to check out the web site, DO NOT click the link embedded in the e-mail. Instead, open your web browser and type the URL in the address field. This will save you from being unknowingly redirected to a false web site hidden behind the URL.
  • If you suspect that you have mistakenly surrendered your personal or financial information at a phishing site, contact your bank, credit card company or the related organization immediately.

 

It is also noted that, for convenience, some users adopt the same username and password pair for logging in to different services such as online banking, e-mail, instant messaging and social networking. This is, in fact, very dangerous: once your password is cracked or phished, it provides access to all of your different service accounts, which may contain personal information.

It is therefore strongly recommended that you use different passwords for different services. In particular, please make the NetPassword for your PolyU NetID unique so as to protect your personal data hosted on the University’s central computer systems.

 

 
 


 
November Staff IT Training Programmes
 

 

Training Workshops

You may view the full list of workshops offered in November and make online enrolment via the Staff IT Training Workshop Enrolment System. You will be notified instantly of the enrolment results.

 

Online Courses

November Online Courses

A
  • Access 2007: Level 1 & 2
  • Access 2007: New Features
  • Acrobat 8: New Features
  • Acrobat 9.0 Pro: Level 1 & 2

E
  • Excel 2007: Level 1 & 2
  • Excel 2007: New Features

G
  • GroupWise 7.0 Level 1-1: Using GroupWise E-mail
  • GroupWise 7.0 Level 1-2: Organizing E-mails and Address Book in GroupWise
  • GroupWise 7.0 Level 1-3: Using GroupWise Calendar and Resources
  • GroupWise 7.0 Level 2-1: Exploring Advanced Mail and Message Features
  • GroupWise 7.0 Level 2-2: Exploring WebAccess, Rules and Access Rights

P
  • PowerPoint 2007: Level 1 & 2
  • PowerPoint 2007: New Features
  • Project 2007: Level 1 & 2
  • Publisher 2007

S
  • Security Awareness (Part 1): Accessing a Computer, a Network and the Internet in a Secure Manner
  • Security Awareness (Part 2): Maintaining File and Email Security
  • Security Awareness (Part 3): Promoting Web Security and Proper Responses to Security Incidents
  • SharePoint Designer 2007: Level 1 & 2

V
  • Visio 2007 Professional: Level 1 & 2
  • What's New in Visio 2007

W
  • Windows Vista: New Features
  • Word 2007: Level 1 & 2
  • Word 2007: New Features

Please click here for the detailed description of each course. To enrol, please complete and return the web-based proforma reply and you will be informed of the enrolment results in early November via e-mail.

Enquiries: 4566
 
 


 
A New Round of Software Asset Management (SAM) Exercise – Scan Your PCs/Notebooks by 13 November
 

 

As communicated earlier to all staff via e-mail, the Software Asset Management (SAM) exercise for 2009 has commenced with the detailed schedule as below:

Phase 1: 27 October - 13 November

All colleagues who 'own' a University PC/notebook or 'oversee' laboratories and/or functional PCs shall visit the PolyU SAM website at the URL https://sam.polyu.edu.hk to access the SAM System, and to conduct scanning on each operating system installed on their PCs/notebooks as well as each virtual machine hosted on the computers. Each software item installed on the PCs/notebooks will be classified into one of the following categories:

  • PolyU Site Licence -- Software licensed centrally by PolyU through ITS
  • Departmental Licence -- Software provided to you by your department
  • Utilities Licence -- Software tools that are bundled with the hardware provided to you by your department
  • Personal Licence -- Software licences you own
  • Shareware Licence -- Software licensed to you under a condition
  • Freeware Licence --  Software that you can use for free
  • Unclassified Items -- Software that cannot be classified as any of the above
Please review each category and re-classify any software item as you see appropriate. Do provide a remark in the space provided to clarify the re-classification. You must resolve all unclassified/unlicensed software items found in your PCs/notebooks.

 

Phase 2: 9 November – 11 December

Departmental CLOs/SAM Managers shall follow up with the scanning results of the department. They may send reminder e-mails to colleagues who have not yet scanned their computers or resolved all the unclassified items.

 

Phase 3: 14 December onwards

CLOs/SAM Managers shall review and re-classify the latest results to ensure that all computers within the Department are scanned and sufficient software licences are acquired for staff in the department.

 

Phase 4

IAU may subsequently conduct audits in departments/offices as they did in the past.

Based on the feedback and suggestions from general users and departmental SAM Managers on last year's exercise, the web-based SAM system has been enhanced to further improve its user-friendliness. Briefing / Training sessions for departmental CLOs / SAM Managers and general users were conducted in October to introduce the new features of the enhanced SAM system. The SAM User Guides are also available for access by all staff under the SAM website.

If you encounter any problems with the SAM exercise, please contact the ITS Help Centre at Ext. 5900, or Mr WK Kwok (Ext. 5886) / Mr Ernest Yu (Ext. 7940) of ITS.

 

 
 


 
Business Continuity Drill for Central Computer Systems
 

 

This year, 22 mission critical services were tested in the annual Business Continuity Drill (BCD).  The purpose of the intensive testing is to ensure that in the event of a disaster striking one of the University Data Centres, the University will be able to continue to operate from the alternative data centre.

The BCD was conducted in two separate parts on 1 October 2009 (National Day, Thursday) and 26 October 2009 (Chung Yeung Festival, Monday) between 07:00 and 15:00.

The BCD involved staff from ITS and the Administration Offices. The BCD simulated the failure of mission critical systems in our Main Computer Room (MCR) and Secondary Computer Room (SCR) separately.

This year the mission critical services tested included:  Academic Unix Service, AS Systems, Financials Systems, CHRIS, RO Systems, HKCC/SPEED Systems, SAO Systems, Internet and Intranet Web Hosting Servers, University Portal, Campus Email Service, Network Infrastructure and Services, myWeb and myStore.  For services that were not established as mission critical, ‘fail over’ services were unavailable during the time of the tests.

The tests were very successful but, as always, some particular instances of misbehaviour were identified.

In particular, some Power Builder applications could not complete the tests and will be subject to retesting to ensure that they will behave appropriately in the event of a real disaster.

The staff involved gave up their two holidays to ensure that the University has highly available mission critical systems. The University appreciates their effort and thanks them for a job well done.

 

 
 


 
GroupWise 7 Series: Using ‘Filter’ to Find Your Message Quick & Easy
 

 

With a huge number of messages in your GroupWise mailbox, it may not be easy to locate a particular message item. Here’s a quick and easy way to do so by using the ‘filter’ function. 

In the GroupWise 7 client, there is a 'Filter' box at the top right hand corner. Simply enter a keyword in the text box. All the messages containing the keyword will be displayed.

To clear the filter, simply remove the keyword from the filter box. Alternatively, you may click the filter icon and select ‘Clear Filter’ from the drop down menu.

From the drop down menu, you can select to filter by Categories, such as ‘Filter for Received Items’, ‘Filter for Sent Items’, etc.

You can also select ‘Filter…’ from the menu to further customize your filtering criteria.

 

 
 


 
Renewal of SAS Software Licence for 2010
 

 

To achieve cost-effectiveness on an institution-wide basis, ITS has centrally coordinated the acquisition and free distribution of 4 modules of the SAS software, including BASE, GRAPH, IML and STAT, to departments.

The current licence for the SAS software will expire on 30 December 2009. To facilitate the renewal arrangements for 2010, Departmental CLOs (Computer Liaison Officers) are requested to indicate the number of licences required by their department/office in the coming year by returning the web-based Proforma Reply by 13 November 2009.

For departments/offices which have acquired other SAS modules with their own budget, they will be contacted separately for the licence renewal arrangements.

For enquiries, please contact Ms Cecilia Chan at Ext. 5934.

 

 
 


 
24-hour Service at SCC Starting 9 November